Re: [ietf] DNS spoofing at captive portals
"Richard L. Barnes" <rbarnes@bbn.com> Fri, 24 September 2010 16:00 UTC
Return-Path: <rbarnes@bbn.com>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 739013A6B00 for <ietf@core3.amsl.com>; Fri, 24 Sep 2010 09:00:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.258
X-Spam-Level:
X-Spam-Status: No, score=-102.258 tagged_above=-999 required=5 tests=[AWL=0.041, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0NdmpgF3g1GW for <ietf@core3.amsl.com>; Fri, 24 Sep 2010 09:00:19 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id 1A4593A6B7B for <ietf@ietf.org>; Fri, 24 Sep 2010 09:00:19 -0700 (PDT)
Received: from ros-dhcp192-1-51-60.bbn.com ([192.1.51.60]:62942) by smtp.bbn.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1OzAhe-000I0j-QK; Fri, 24 Sep 2010 12:00:51 -0400
Message-Id: <E4B99AF3-13D0-4B99-9365-88E181C6A1C6@bbn.com>
From: "Richard L. Barnes" <rbarnes@bbn.com>
To: Alfred HÎnes <ah@TR-Sys.de>
In-Reply-To: <201009241238.OAA29283@TR-Sys.de>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Apple Message framework v936)
Subject: Re: [ietf] DNS spoofing at captive portals
Date: Fri, 24 Sep 2010 12:00:49 -0400
References: <201009241238.OAA29283@TR-Sys.de>
X-Mailer: Apple Mail (2.936)
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2010 16:00:21 -0000
This document is probably relevant, although it goes the route of "providing guidelines for minimum breakage" rather than forbidding. <http://tools.ietf.org/html/draft-livingood-dns-redirect-02> On Sep 24, 2010, at 8:38 AM, Alfred HÎnes wrote: > At Fri, 24 Sep 2010 07:21:21 -0400, Michael Richardson wrote: > >> Has the IETF (or rather then IAB) written any simple documents that >> explain to less informed (i.e. marketing/product) managers why it >> is a bad thing for a captive portal to spoof DNS replies? >> (not just in regard to DNSSEC, but also in regards to just caching) > > a) Most of the arguments explained in the 2003 IAB Commentary: > "Architectural Concerns on the use of DNS Wildcards", > <http://www.IAB.ORG/documents/docs/2003-09-20-dns-wildcards.html>, > apply in a similar fashion, but it indeed would be a good idea > to produce such document. I think much text from 2003 could > be leveraged. > > b) It should be clearly spelled out that this practice falls among the > category of actions commonly known as man-in-the-middle attacks. > > c) draft-livingood-dns-redirect and draft-livingood-dns-malwareprotect > descibe these "services" in a much too friendly tone; > terms like "service" and "benefits for users" are clearly > abuse of language -- the above IAB statement already indicates > that similar interference with the DNS causes severe damage > to user perception and performance. > These drafts should clearly spell out the downside of these > methods and their fundamental nature, being MitM attacks. > > d) In my personal opinion, the original idea of having recursive > DNS resolvers located "close to the hosts" should be given more > traction again in the future. All kinds of SOHO access gateways > or home gateways should preferably offer (locally) full recursive > and validating DNS resolution service. The ISP-based DNS recursor > was (and perhaps still is) a good idea in low-bandwidth (dial-in) > access networks, where the (bandwidth and monetary) costs of full > DNS service actually matter and are detrimental for the users, but > it does not make sense any more for broadband access networks with > (almost) bandwidth-usage independent billing models (flat rates). > > Thus the dependency on (both technically and policy-wise!) powerful > "central" caching resolvers could be reduced dramatically. > DNSSEC validation makes most sense for applications when performed > as close as possible to the stub resolver, if the latter cannot > perform this function itself; this way, the unprotected path > at least is constrained to within the users' sites and hence their > own "administrative domain". > Experience has shown that huge central resolver systems are very > attractive targets for external attacks as well as for insider > attacks (like ${subject}). > > Kind regards, > Alfred HÎnes. > > -- > > +------------------------ > +--------------------------------------------+ > | TR-Sys Alfred Hoenes | Alfred Hoenes Dipl.-Math., Dipl.- > Phys. | > | Gerlinger Strasse 12 | Phone: (+49)7156/9635-0, Fax: > -18 | > | D-71254 Ditzingen | E-Mail: ah@TR- > Sys.de | > +------------------------ > +--------------------------------------------+ > > - > _______________________________________________ > Ietf mailing list > Ietf@ietf.org > https://www.ietf.org/mailman/listinfo/ietf
- DNS spoofing at captive portals Michael Richardson
- Re: [ietf] DNS spoofing at captive portals Alfred Hönes
- Re: [ietf] DNS spoofing at captive portals Richard L. Barnes
- Re: [ietf] DNS spoofing at captive portals Livingood, Jason
- Re: [ietf] DNS spoofing at captive portals Paul Hoffman
- Re: [ietf] DNS spoofing at captive portals Keith Moore
- Re: [ietf] DNS spoofing at captive portals John Levine
- Re: [ietf] DNS spoofing at captive portals Steven Bellovin
- Re: [ietf] DNS spoofing at captive portals John R. Levine
- Re: [ietf] DNS spoofing at captive portals John Levine
- Re: [ietf] DNS spoofing at captive portals bill manning
- Re: [ietf] DNS spoofing at captive portals John R. Levine
- Re: [ietf] DNS spoofing at captive portals Keith Moore
- Re: [ietf] DNS spoofing at captive portals David Conrad
- Re: [ietf] DNS spoofing at captive portals John R. Levine
- Re: [ietf] DNS spoofing at captive portals Tony Finch
- Re: [ietf] DNS spoofing at captive portals W.C.A. Wijngaards
- Re: [ietf] DNS spoofing at captive portals Phillip Hallam-Baker
- Re: [ietf] DNS spoofing at captive portals Phillip Hallam-Baker
- Re: [ietf] DNS spoofing at captive portals bmanning
- Re: [ietf] DNS spoofing at captive portals Phillip Hallam-Baker
- Re: [ietf] DNS spoofing at captive portals Tony Finch
- Re: [ietf] DNS spoofing at captive portals bill manning
- Re: [ietf] DNS spoofing at captive portals Tony Finch
- Re: [ietf] DNS spoofing at captive portals Phillip Hallam-Baker
- Re: [ietf] DNS spoofing at captive portals Phillip Hallam-Baker
- Re: [ietf] DNS spoofing at captive portals Mark Andrews
- Re: [ietf] DNS spoofing at captive portals Phillip Hallam-Baker
- Re: [ietf] DNS spoofing at captive portals Rich Kulawiec